Closed Bug 1182865 Opened 10 years ago Closed 10 years ago

Assertion failure: this->is<T>(), at jsobj.h

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla42
Tracking Flags:
Tracking Status
firefox42 --- fixed

People

(Reporter: gkw, Assigned: bhackett1024)

References

Details

(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update])

Attachments

(2 files)

stack
3.17 KB, text/plain
Details
patch
1.42 KB, patch
efaust
: review+
Details | Diff | Splinter Review
for (var j = 0; j < 99; j++) { Array[{ f() { eval() } }]; } asserts js debug shell on m-c changeset 7ec3e4b2a45f with --fuzzing-safe --no-threads --ion-eager at Assertion failure: this->is<T>(), at jsobj.h. Configure options: CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests python -u ~/funfuzz/js/compileShell.py -b "--enable-debug --enable-more-deterministic --enable-nspr-build" -r 7ec3e4b2a45f autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: https://hg.mozilla.org/mozilla-central/rev/322487136b28 user: Brian Hackett date: Sun May 17 20:12:14 2015 -0600 summary: Bug 1162199 - Use unboxed objects by default, r=jandem. Brian, is bug 1162199 a likely regressor?
Flags: needinfo?(bhackett1024)
Attached file stack
(lldb) bt 5 * thread #1: tid = 0x17bbd1, 0x000000010024ab18 js-dbg-64-dm-nsprBuild-darwin-7ec3e4b2a45f`Interpret(JSContext*, js::RunState&) + 52 at jsobj.h:545, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0) * frame #0: 0x000000010024ab18 js-dbg-64-dm-nsprBuild-darwin-7ec3e4b2a45f`Interpret(JSContext*, js::RunState&) + 52 at jsobj.h:545 frame #1: 0x000000010024aae4 js-dbg-64-dm-nsprBuild-darwin-7ec3e4b2a45f`Interpret(JSContext*, js::RunState&) [inlined] JSScript::getFunction(this=<unavailable>, index=<unavailable>) at jsscriptinlines.h:93 frame #2: 0x000000010024aae4 js-dbg-64-dm-nsprBuild-darwin-7ec3e4b2a45f`Interpret(cx=<unavailable>, state=0x00007fff5fbfefa8) + 87380 at Interpreter.cpp:3406 frame #3: 0x0000000100235515 js-dbg-64-dm-nsprBuild-darwin-7ec3e4b2a45f`js::RunScript(cx=0x00000001028a3180, state=0x00007fff5fbfefa8) + 405 at Interpreter.cpp:655 frame #4: 0x000000010024bd57 js-dbg-64-dm-nsprBuild-darwin-7ec3e4b2a45f`js::ExecuteKernel(cx=0x00000001028a3180, script=<unavailable>, scopeChainArg=0x000000010395d060, thisv=0x00007fff5fbff0e8, newTargetValue=0x00007fff5fbff0e0, type=EXECUTE_GLOBAL, evalInFrame=<unavailable>, result=<unavailable>) + 1191 at Interpreter.cpp:895 (lldb)
dupe of bug 1182060 ?
Attached patch patchSplinter Review
Assignee: nobody → bhackett1024
Flags: needinfo?(bhackett1024)
Attachment #8632924 - Flags: review?(efaustbmo)
Comment on attachment 8632924 [details] [diff] [review] patch Review of attachment 8632924 [details] [diff] [review]: ----------------------------------------------------------------- APPROVED.
Attachment #8632924 - Flags: review?(efaustbmo) → review+
https://hg.mozilla.org/mozilla-central/rev/9834248c89de
Status: NEW → RESOLVED
Closed: 10 years ago
status-firefox42: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla42
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: